All news with #cryptojacking tag

34 articles

Detecting and Preventing Crypto Mining in AWS Environments

🔎 Amazon GuardDuty provides specialized detections and runtime monitoring to identify and mitigate cryptocurrency mining in AWS. It analyzes VPC Flow Logs, DNS queries, CloudTrail events, and workload telemetry to surface findings such as CryptoCurrency:Runtime/BitcoinTool.B and Impact:Runtime/CryptoMinerExecuted. Enable GuardDuty across accounts and Regions and combine it with patching, least-privilege access, and preventive controls to reduce risk.
Crypto gang member gets 78 months for $230M heist probe

🔒 A 20-year-old California man, Marlon Ferro (aka GothFerrari), was sentenced to 78 months in prison after pleading guilty to serving as a home invader and money launderer for a criminal ring that stole over $250 million in cryptocurrency. Arrested on May 13, 2025, Ferro was found carrying two firearms and a fraudulent ID and was ordered to pay $2.5 million in restitution and serve three years of supervised release. Authorities say the conspiracy combined social engineering, hacking attempts, and physical burglaries to seize hardware wallets and launder funds through exchanges and mixers.
Qinglong auth bypass flaws exploited for cryptomining

🚨 Researchers at Snyk warn that two authentication-bypass bugs in the open-source Qinglong task scheduler (affecting versions ≤2.20.1) have been chained to achieve remote code execution. The issues — CVE-2026-3965 and CVE-2026-4047 — stem from middleware authorization mismatches with Express.js routing, enabling unauthenticated access to admin endpoints. Active exploitation since early February has resulted in cryptominer deployments that run as a hidden '.fullgc' process and pull multiple binary variants from an external host. Users should apply the patched release and verify middleware authentication enforcement immediately.
Over 1,000 Exposed ComfyUI Instances Targeted — Miner Botnet

🛡️ An active campaign is exploiting internet-exposed ComfyUI instances to recruit them into a cryptomining and proxy botnet. Censys researchers found attacker tooling that scans cloud IP ranges, abuses unsafe custom nodes for unauthenticated remote code execution, and installs miners (XMRig, lolMiner) and a Hysteria V2 proxy. The payloads persist via periodic retrieval of a ghost.sh script and use techniques such as LD_PRELOAD and chattr +i to resist removal, while a Flask-based C2 panel provides centralized control. Defenders are advised not to expose ComfyUI publicly, to require authentication, and to remove or audit any nodes that execute raw Python.
Torg Grabber infostealer targets 728 crypto wallets

🔒 Gen Digital researchers describe a rapidly evolving info‑stealer named Torg Grabber that exfiltrates data from 850 browser extensions, including 728 cryptocurrency wallets. Initial access commonly uses a clipboard hijack and a ClickFix PowerShell trick; the payload runs in memory via reflective loading, direct syscalls and heavy obfuscation. Operators migrated exfiltration to HTTPS through Cloudflare and added an App‑Bound Encryption bypass to harvest Chromium cookie data.
Fake Resume Phishing Deploys Miners and Steals Credentials

📄 A targeted phishing campaign leverages fake French-language resumes containing heavily obfuscated Visual Basic Script droppers to steal enterprise credentials and deploy a Monero miner. The operation, tracked as FAUX#ELEVATE by Securonix, abuses legitimate services including Dropbox, compromised WordPress sites in Morocco for C2 configuration, and mail[.]ru SMTP accounts for exfiltration. The dropper uses sandbox-evasion techniques, a domain-join gate, and a persistent UAC loop to obtain admin privileges, disable defenses and execute its multi-stage toolkit rapidly.
BeatBanker and BTMOB Android trojans: infection tactics

🚨 BeatBanker is a sophisticated Android trojan targeting Brazilian users through counterfeit pages that mimic Google Play and legitimate services such as INSS Reembolso or Starlink. The malware installs in staged downloads, injects encrypted modules into RAM after device and country checks, and avoids analysis by detecting emulators. It deploys a Monero miner that evades power optimizers by playing near‑inaudible audio and uses Accessibility abuse to overlay screens and divert crypto transfers. Users should stick to official stores, scrutinize permissions, and run up‑to‑date anti‑malware.
BeatBanker Masquerades as Starlink App to Hijack Devices

🛡️ Kaspersky researchers have uncovered BeatBanker, an Android malware campaign that lures victims with fake Starlink app pages and sideloaded APKs. The threat blends banking-trojan capabilities with a modified XMRig Monero miner and, in recent variants, deploys the BTMOB RAT for full device takeover. BeatBanker uses in-memory DEX loading, environment checks, a faux Play Store update prompt, and a near‑inaudible MP3-based persistence mechanism to evade detection.
Wormable XMRig Campaign Uses BYOVD to Boost Hashrate

🛡️ Trellix researchers describe a wormable cryptojacking campaign that lures victims with pirated software bundles to deploy a custom XMRig miner and a modular dropper that acts as installer, watchdog, payload manager, and cleaner. The binary uses command-line mode switching to install, restart, monitor, or self-destruct and contains a time-based logic bomb that triggers decommissioning after December 23, 2025. The actors abuse a flawed driver, WinRing0x64.sys (CVE-2020-14979), in a BYOVD chain to escalate privileges and boost RandomX hashrate by an estimated 15–50%. Responders advise blocking vulnerable drivers, scanning for artifacts, restricting removable media execution, enforcing least privilege, and applying relevant patches.
Cryptojacking Campaign Uses Signed Driver to Boost Monero

🛡️ Trellix uncovered a multi-stage cryptojacking campaign that spreads via pirated software installers and deploys a customized XMRig miner alongside a stateful controller. The dropper installs a primary Explorer.exe controller and multiple watchdog processes for persistence, with a hardcoded expiry of December 23, 2025. Attackers load a signed vulnerable driver (WinRing0x64.sys/CVE-2020-14979) to gain kernel access and disable CPU prefetchers, boosting Monero RandomX performance by an estimated 15–50%. Researchers observed connections to the Kryptex pool and recommend enabling Microsoft's vulnerable driver blocklist, restricting USB access and blocking known mining pool traffic.
Threat actors hijack web traffic via React2Shell exploit

⚠️ Researchers at Datadog Security Labs report threat actors are exploiting the React2Shell vulnerability (CVE-2025-55182) in React 19 to execute code on servers and then target NGINX instances managed with Boato Panel, focusing on several Asian TLDs and Chinese hosting. Attackers use automated, multi-stage toolkits to discover targets, persist, and write malicious NGINX configs that redirect traffic for cryptomining, credential phishing, or malware delivery. Defenses include prompt patching, locking down configuration files, maintaining configuration records, and monitoring NGINX advisories.
Hackers Hijack Exposed LLM Endpoints in Bizarre Bazaar

🔒 Researchers at Pillar Security recorded over 35,000 attack sessions in a 40-day window revealing a large-scale operation they call Bizarre Bazaar, an instance of LLMjacking that monetizes exposed LLM endpoints. The campaign targets misconfigured self-hosted models, unauthenticated APIs (notably Ollama on port 11434 and OpenAI-compatible services on port 8000), and publicly accessible MCP servers. Compromised endpoints are used for cryptocurrency mining, reselling API access through a marketplace dubbed silver[.]inc, data exfiltration, and lateral movement into internal systems.
Malicious PyPI Package Impersonates SymPy, Deploys Miner

🔍 A malicious PyPI package named sympy-dev was found impersonating SymPy, copying the legitimate project's description to trick users; it has been downloaded over 1,100 times since its January 17, 2026 publication. Socket's analysis shows select symbolic-math routines were modified to retrieve a remote JSON configuration and download an ELF payload that launches an XMRig miner. The backdoor executes the ELF binary directly in memory via memfd_create and /proc/self/fd to reduce on-disk artifacts and only triggers when specific polynomial functions are invoked to remain stealthy.
Misconfigured Demo Environments Become Cloud Backdoors

🔒 New research from Pentera Labs shows that internal testing, demo, and training applications left in default or misconfigured states are being used as entry points into enterprise cloud environments. The team found popular vulnerable apps such as Hackazon, DVWA, and OWASP Juice Shop exposed on major cloud platforms and sometimes tied to overly permissive IAM roles. Attackers have leveraged these exposures to deploy crypto miners, webshells, and persistence mechanisms; Pentera recommends inventorying assets, enforcing least privilege, isolating labs from production, and expiring temporary test environments.
RondoDox Botnet Exploits React2Shell to Hit Next.js

🔥 The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to compromise vulnerable Next.js servers and deploy malware, including coinminers and Mirai-like components. CloudSEK reports scanning began on December 8 with active deployments starting December 11, and Shadowserver counts over 94,000 exposed assets. The botnet also conducts hourly IoT exploitation waves to enroll routers and uses loaders that remove competing malware and enforce persistence.
Typosquatted MAS domain spread Cosmali PowerShell malware

⚠️ A typosquatted domain impersonating the MAS Windows activation tool — get.activate.win instead of the legitimate get.activated.win — was used to serve malicious PowerShell scripts that deploy the Cosmali Loader. Victims reported intrusive pop-up warnings claiming a Cosmali infection after mistyping the domain while running activation commands. Researcher RussianPanda linked the loader to cryptomining utilities and the XWorm RAT. MAS maintainers urged users to verify commands, avoid retyping URLs, and test remote code in sandboxes before execution.
Amazon warns of cryptomining campaign abusing AWS IAM

⚠️ Amazon's GuardDuty team is tracking an ongoing cryptomining campaign that uses compromised Identity and Access Management (IAM) credentials to abuse EC2 and ECS resources. The attacker deployed a yenik65958/secret Docker Hub image containing the SBRMiner-MULTI miner and configured large ECS tasks and auto-scaling EC2 groups to maximize mining. The actor also enabled instance termination protection to hinder remediation; Amazon has removed the malicious image, alerted affected customers, and recommends rotating compromised IAM credentials while following GuardDuty mitigation guidance.
Crypto-mining Campaign Targets Amazon EC2 and ECS Resources

⚠️ Amazon GuardDuty and AWS automated monitoring identified a coordinated crypto‑mining campaign beginning November 2, 2025, that used compromised IAM credentials to deploy miners on Amazon EC2 and Amazon ECS. Attackers enumerated quotas and permissions, launched large EC2 fleets and ECS Fargate tasks from a malicious Docker Hub image, and used persistence techniques such as disabling API termination and creating public Lambda URLs. GuardDuty Extended Threat Detection correlated signals to surface critical attack sequences and AWS provides IoCs and mitigation guidance including strong identity controls, CloudTrail logging, Runtime Monitoring, and remediation playbooks.
Compromised IAM Credentials Fuel Large-Scale AWS Crypto Mining

🚨 Amazon detected a campaign on Nov 2, 2025 that used compromised IAM credentials to rapidly deploy cryptocurrency miners across ECS Fargate and EC2, with miners running within ten minutes of initial access. The adversary used DryRun-based discovery to validate permissions, created service-linked roles and dozens of ECS clusters, and registered a malicious DockerHub image to launch mining with the RandomVIREL algorithm. Attackers also set disableApiTermination=True on EC2 instances to hinder remediation; Amazon recommends enforcing MFA, least privilege, temporary credentials, container scanning, CloudTrail logging and enabling GuardDuty.
React2Shell Exploitation Delivers Miners and Backdoors

⚠ Huntress reports widespread exploitation of the maximum-severity React Server Components flaw CVE-2025-55182, with attackers leveraging vulnerable Next.js instances to deploy cryptocurrency miners and multiple novel Linux malware families. Observed payloads include the PeerBlight backdoor, CowTunnel reverse proxy and ZinFoq post-exploitation implant, alongside droppers that fetch XMRig, Sliver C2 and Kaiji variants. Activity since early December 2025 has targeted many sectors — notably construction and entertainment — and shows signs of automated scanning and exploitation tools that sometimes deploy Linux payloads to Windows hosts. Organizations should update react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack immediately and hunt for indicators of compromise.